
[minion-cvs] Begin migrating to support the spec's alternative SSL c...



Update of /home/minion/cvsroot/src/minion/src
In directory moria.mit.edu:/tmp/cvs-serv22264/src

Modified Files:
	tls.c 
Log Message:
Begin migrating to support the spec's alternative SSL crypto suite.

The spec says that we should support an alternative (and more common)
crypto suite for client-to-server communications.  The alternative
suite is only present in SSL3; the preferred one is in TLS1.

Older versions of the code are configured to generate only TLS1
connections -- and (previously unknown to me) accept only TLS1
connections.  To do the right thing, we need to accept TLS1 and SSL3,
but generate only TLS1.  This patch does that.



Index: tls.c
===================================================================
RCS file: /home/minion/cvsroot/src/minion/src/tls.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -d -r1.29 -r1.30
--- tls.c	17 Oct 2003 13:24:45 -0000	1.29
+++ tls.c	19 Oct 2003 05:21:45 -0000	1.30
@@ -122,6 +122,7 @@
         mm_RSA *rsa = NULL;
         int err = 0;
 
+        SSL_METHOD *method = NULL;
         SSL_CTX *ctx = NULL;
         DH *dh = NULL;
         BIO *bio = NULL;
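Review bot: `SSL_METHOD *method` is declared without `const`; this builds against the 0.9.x headers of the time, but on OpenSSL releases from 1.0.0 on `SSLv23_method()` and `TLSv1_method()` return `const SSL_METHOD *`, so this line will need to become `const SSL_METHOD *method = NULL;` to compile cleanly there.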
@@ -138,11 +139,20 @@
 
         Py_BEGIN_ALLOW_THREADS;
 
+        if (certfile) {
+                /* Accept SSL2 and SSL3 and TLS1. */
+                method = SSLv23_method();
+        } else {
+                /* Generate only TLS1. */
+                method = TLSv1_method();
+        }
         /* Allow SSL2 and SSL3 and TLS1 */
-        if (!(ctx = SSL_CTX_new(SSLv23_method())))
+        if (!(ctx = SSL_CTX_new(method)))
                 err = 1;
         /* But not actually SSL2. */
-        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+        if (certfile) {
+                SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+        }
         if (!err && !SSL_CTX_set_cipher_list(ctx,
                                        TLS1_TXT_DHE_RSA_WITH_AES_128_SHA))
                 err = 1;
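Review bot: the new `if (certfile)` block still calls `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)` when `SSL_CTX_new()` has failed and `ctx` is NULL (the removed line had the same problem, but this is the place to fix it); guard it as `if (!err && certfile)` the same way the `SSL_CTX_set_cipher_list` call below checks `!err`. The retained comment `/* Allow SSL2 and SSL3 and TLS1 */` is now stale, since the method is chosen in the new branch above and only the `certfile` case allows SSL3; move it into that branch or drop it. A short comment on why `certfile` selects the accepting method (a certificate means this context accepts connections, so it takes SSL3 as well as TLS1, while the no-certificate client side generates TLS1 only) would make the intent stated in the log message visible at the condition itself.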